California Revises Draft Privacy Regulations

Full implementation for the California Consumer Privacy Act (CCPA) continues to be a piecemeal affair. The California Attorney General (AG) released updated draft implementing regulations earlier this month. The updates to the pending regulations are designed to (1) bring more clarity and (2) respond to the input the AG’s office has received from the public at large about how the CCPA should work.

The new draft rules are open for public comment, which likely will produce additional changes to the draft before it takes effect. The AG’s rules will apply in addition to the requirements imposed by the statute itself; when they are finalized and take effect, the rules are likely to create additional compliance requirements to what was contained in the CCPA as drafted.

The chief changes from version 1 of the draft rules are as follows:

PROS

• The definition of covered “personal information” has been clarified and, for most companies, made slightly narrower.
• The time frame for acknowledging a consumer request has been extended.
• The requirement to develop a “web form” to submit consumer requests via website has been removed.
• There is some clarification of how to treat personal information contained in backup systems.

CONS

• The role of “service providers” has been narrowed and now has several new ambiguities in it.
• There is more emphasis on providing accessible notice on websites (for visually or other impaired consumers).
• Notice requirements for mobile and potentially other platforms have become more complex.

If you do business in California and meet any of the CCPA’s size thresholds (most commonly: your business makes $25 million or more a year, or it collects information from 50,000 or more consumers or devices), check with your privacy counsel on whether the updated regulations might affect you.

Even if you have already updated your privacy policy or taken other steps in anticipation of the CCPA, these new draft regulations may have an impact on your existing plans if they take effect as written, because they would change the CCPA’s requirements that existed when the Act took effect on January 1, 2020. The ongoing changes should be monitored and reviewed with counsel to ensure continued compliance.